Mike’s at the Jersey Shore, Rich is in Boulder, and Adrian is… baking in Phoenix in between tree-killing monsoons. This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk. Which they should know, since they are all built there. Second is a discussion on security careers. How to break in, and what hiring managers should really look for.
In the introduction to our Leveraging Threat Intelligence in Incident Response/Management series we described how the world has changed since we last documented our incident response process. Adversaries are getting better and using more advanced tactics. The difficulty is compounded by corporate data escaping our control into the cloud, and the proliferation of mobile devices.
So a couple of weeks ago in the Incite (4th snippet) I gave Jamie Arlen huge kudos for being a soothsayer. At Black Hat 2011 Jamie presented an attack scenario targeting high-frequency trading networks, and Bloomberg recently reported that attack actually hit a hedge fund.
I have to admit, this is a bit of a first.
I am participating in a cloud security webinar July 21st with Elastica, a cloud application security gateway firm (that’s the name I’m playing with for this category). It will be fewer slides and more discussion, and not about their product. This is a product category I have started getting a lot of questions on, even if there isn’t a standard name yet, and I will probably pop off a research paper on it this fall.
Well, I did it. I survived over 6 months of weekly travel (the reason I haven’t been writing much). Even the one where the client was worried I was going to collapse due to flu in the conference room, and the two trips that started with me vomiting at home the morning I had to head to the airport.
A few weeks ago I was complaining about travel and not being home – mostly because I’m on family vacations and doing work I enjoy. I acknowledged these are first world problems. I didn’t appreciate what that means. You lose touch with a lot of folks’ reality when you are in the maelstrom of your own crap. I’m too busy. The kids have too many activities. There are too many demands on my time.
We love data – especially when it tells us what people are doing about security. Which is why we were thrilled at the opportunity to provide a – dare I say open? – analysis of the 2014 Open Source Development and Application Security survey. And today we launch the complete research paper with our analysis of the results. Here are a couple highlights:
The three basic data centric security tools are tokenization, masking, and data element encryption. Now we will discuss what they are, how they work, and which security challenges they best serve.
It’s hard to be a defender today. Adversaries continue to innovate, attacking software which is not under your control. These attacks move downstream as low-cost attack kits put weaponized exploits in the hands of less sophisticated adversaries, making them far more effective. But frequently attackers don’t even need to use innovative attacks because a little reconnaissance and a reasonably crafted phishing message can effectively target and compromise your employees. The good news is that we…
It seems to be all threat intelligence all the time in the tech media, so I might as well jump on the bandwagon. My pals Wendy Nather of 451 and Jaime Blasco of AlienVault recently did a webcast on the topic. Dan Raywood has a good overview of the content. Wendy does the analyst thing and categorizes the different types of threat intelligence. She points out that sharing is taking place, but more slowly than it should. Jaime then makes a compelling case for why everyone should share threat intel…